FIM portal is functioning strangely!
I am an EA for Server 2008 but new to the whole Identity Management platform and have just built a lab for FIM 2010. I have succeeded in installing all the components by following the instructions on these TechNet sites:
http://technet.microsoft.com/en-us/library/ff512685%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/ff512686%28WS.10%29.aspx
I have configured the ENV so that it simulates (as much as possible) the real-life scenarios by installing the various components on different servers as follows:
Server01: FIMService
Server02: FIMSynchronizationService
Server03: SharePoint Services / FIM portal / PasswordReset portal
An SQL Server 2008 SP1 for all of the components.
The problem is that when I connect to the FIM portal from a client (member of the domain), sometimes it connects and other times it does not (IE displays the FIM page with the "Service not available" message), or sometimes it connects but when trying to trigger a specific function (Edit My Profile, for example), the popup IE window shows "Service not available." However, this is solved when I start IE and connect to the portal locally on the server, but some functions still do not work on the client when connecting to the portal, and this lasts for a short amount of time before the web browser on the client starts showing "Service not available." I am using IE8 and have enabled ActiveX options on it. I would very much appreciate your help! Regards!
August 26th, 2011 2:14pm

Here's a few things I would be checking:
- Application and System event logs (e.g. DNS errors)
- use of FQDN references in the various config files (e.g. web.config file ... check nothing is incorrectly set to reference localhost)
- System clocks are in sync on each server
- domain service accounts are being used for WSS app pool and all FIM and related services, and have the necessary access
- anonymous access on the FIM website is NOT enabled
- FIM service accounts have the necessary SQL level access
- WSS server admin and site admin accounts are correctly set
- WSS server alternate site mappings are correctly set
Note that for a user to be able to access the FIM website they will need to have some sort of generic level access at the WSS website level (e.g. Domain Users have read-only access at the IIS level), and that each user must have a FIM Person object with the objectSID correctly loaded from the corresponding AD account. Try the above for starters and let me know how you go :).
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.unifysolutions.net/ourSolutions.cfm?solution=event for just-in-time delivery of FIM 2010 policy via the sync engine
August 26th, 2011 3:29pm

Thank you UNIFYBoy for your fast reply! I checked the event viewer in the portal server and this is what I found:

============Start of block=======================================
Log Name: Application
Source: Windows SharePoint Services 3
Date: 2011-08-26 11:38:02
Event ID: 8214
Task Category: Topology
Level: Error
Keywords: Classic
User: N/A
Computer: hpvsrv13.mslab.local
Description: The description for Event ID 8214 from source Windows SharePoint Services 3 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event:
A request was made for a URL, http://fimportal, which has not been configured in Alternate Access Mappings. Some links may point to the Alternate Access URL for the default zone, http://hpvsrv13. Review the Alternate Access mappings for this Web application at http://hpvsrv13:16442/_admin/AlternateUrlCollections.aspx and consider adding http://fimportal as a Public Alternate Access URL if it will be used frequently. Help on this error: http://go.microsoft.com/fwlink/?LinkId=114854
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows SharePoint Services 3" />
    <EventID Qualifiers="0">8214</EventID>
    <Level>2</Level>
    <Task>807</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-08-26T09:38:02.000000000Z" />
    <EventRecordID>4553</EventRecordID>
    <Channel>Application</Channel>
    <Computer>hpvsrv13.mslab.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>A request was made for a URL, http://fimportal, which has not been configured in Alternate Access Mappings. Some links may point to the Alternate Access URL for the default zone, http://hpvsrv13. Review the Alternate Access mappings for this Web application at http://hpvsrv13:16442/_admin/AlternateUrlCollections.aspx and consider adding http://fimportal as a Public Alternate Access URL if it will be used frequently. Help on this error: http://go.microsoft.com/fwlink/?LinkId=114854</Data>
  </EventData>
</Event>
============End of block=======================================

Log Name: Application
Source: Microsoft.ResourceManagement.PortalHealthSource
Date: 2011-08-26 11:39:11
Event ID: 1
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: hpvsrv13.mslab.local
Description: The portal was unable to complete a request and showed a user the default error page. An unhandled exception was caught. Check the product diagnostic log file and then check the SharePoint log file.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement.PortalHealthSource" />
    <EventID Qualifiers="0">1</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-08-26T09:39:11.000000000Z" />
    <EventRecordID>4559</EventRecordID>
    <Channel>Application</Channel>
    <Computer>hpvsrv13.mslab.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The portal was unable to complete a request and showed a user the default error page. An unhandled exception was caught. Check the product diagnostic log file and then check the SharePoint log file.</Data>
  </EventData>
</Event>
============End of block=======================================

============Start of block=======================================
Log Name: Application
Source: Microsoft.ResourceManagement.PortalHealthSource
Date: 2011-08-26 12:54:08
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: hpvsrv13.mslab.local
Description: The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft.ResourceManagement.PortalHealthSource" />
    <EventID Qualifiers="0">10</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-08-26T10:54:08.000000000Z" />
    <EventRecordID>4579</EventRecordID>
    <Channel>Application</Channel>
    <Computer>hpvsrv13.mslab.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>The Portal cannot connect to the middle tier using the web service interface. This failure prevents all portal scenarios from functioning correctly. The cause may be due to a missing or invalid server url, a downed server, or an invalid server firewall configuration. Ensure the portal configuration is present and points to the resource management service.</Data>
  </EventData>
</Event>
============End of block=======================================

The thing I noticed is that the last event is the one generated when I try to connect from a client. I have configured an alternative URL in WSS but am still using the domain 'Administrator' account, which by default is set as WSS admin and site admin, or??
Appreciate your help!
August 26th, 2011 4:49pm

"invalid server firewall configuration" ... have you got firewall rules in place preventing HTTP communication between servers? If not, perhaps antivirus software? I understand what you should use to check the correct port is open is to try using TELNET from a command prompt.
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.unifysolutions.net/ourSolutions.cfm?solution=event for just-in-time delivery of FIM 2010 policy via the sync engine
August 26th, 2011 4:58pm

The problem is that it isn't totally blocked. I don't have very extensive knowledge about WSS but it seems that there is something triggered when connecting to the FIM portal locally on the server which provides connectivity to the client as well. But after a while the clients start receiving the FIM "service not available" error page. I mean, if there's an access rights (account settings) problem, that would mean it's impossible to connect in any case... I have checked the FW on the FIMService server and it has 5702 and 5726 open for Identity Manager Service.
August 26th, 2011 5:18pm

OK ... let's start checking the various config files ...

[inetpub]\wwwroot\wss\VirtualDirectories\80\web.config
Check that the following line points to the correct FIM service URI:

  <resourceManagementClient resourceManagementServiceBaseAddress="http://???????????:5725" timeoutInMilliseconds="60000" />

[Program Files]\Microsoft Forefront Identity Manager\2010\Service
Check that the following line points to the FIM webservice URL:

  <system.serviceModel>
    <services>
      <service name="Microsoft.ResourceManagement.WebServices.ResourceManagementService">
        <host>
          <baseAddresses>
            <add baseAddress="http://???????:5725" />
          </baseAddresses>
        </host>
      </service>
      <service name="Microsoft.ResourceManagement.WebServices.SecurityTokenService">
        <host>
          <baseAddresses>
            <add baseAddress="http://??????:5726" />
          </baseAddresses>
        </host>
      </service>
    </services>
  </system.serviceModel>

Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.unifysolutions.net/ourSolutions.cfm?solution=event for just-in-time delivery of FIM 2010 policy via the sync engine
August 26th, 2011 5:33pm

I checked the config file for the 80 site (which is located on the WSS/FIM portal server) and it points to the FQDN of the FIMService server. However, I checked the one for the FIM service (located on the FIMService server) and found out that both entries point to localhost:port. I changed that to the FQDN of the FIMService server (which actually is the localhost) and restarted the FIM service, but this seems to have had no effect on the problem. I even restarted the WSS site and recycled the application pool. Just wondering whether not using SSL has anything to do with this?
August 26th, 2011 5:51pm

SSL shouldn't be a problem - this should be the same address used by the FIM MA, and in my case I'm using http://localhost:5725/ in my lab (self-contained FIMService and FIMSyncService). If you log on to the FIM Service machine and try browsing to http://localhost:5725 ... what happens?
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.unifysolutions.net/ourSolutions.cfm?solution=event for just-in-time delivery of FIM 2010 policy via the sync engine
August 26th, 2011 6:17pm

Also - are you getting any errors thrown in the Forefront Identity Manager event log (Applications and Services logs on the FIM Service machine)? This might tell you if your FIMService is getting hit from the web server ... Also, if the website home page shows OK but you get errors clicking on anything that actually invokes the FIM service, then this could also mean that there's a failure with the FIM Service talking to its own database. Have you checked that you can open a database connection from the FIM service server to the FIMService database using the FIMService identity? One way to test this is to create a .UDL file and configure it the way the FIMService database connection is configured in the registry.
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.unifysolutions.net/ourSolutions.cfm?solution=event for just-in-time delivery of FIM 2010 policy via the sync engine
August 26th, 2011 6:28pm

I know it's a bit of a cop-out, but have you tried rebooting both the FIMService server and the web server?
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.unifysolutions.net/ourSolutions.cfm?solution=event for just-in-time delivery of FIM 2010 policy via the sync engine
August 26th, 2011 6:29pm

According to the event logs you posted above, you are attempting to connect to http://fimportal to reach the portal. I am thinking this is not the actual server name of the portal machine. If this is the case, you need to configure both the app pool account for SharePoint and the FIMService account with SPNs for this value. It shows how to do this in the 'before you begin' document referred to by the install document for FIM 2010. Your web.config file and the two entries in the FIM Service config file (not the <server>:5725 stuff) should point to the fimportal FQDN address as opposed to the server name if you are accessing by this alias name.
August 29th, 2011 6:25am

Hi Bob, thanks a lot for your attention! I have been checking some settings inside the SQL server since you mentioned that. I found that the FIMService service account has 'FIM_Service_Write' on the FIMService database. The account is also granted permission to connect and login. I also checked the SQL server's Activity Monitor and found that both FIMService and FIMSync are connected to their respective DBs and both run a bunch of queries. However, I am wondering whether the entry <resourceManagementClient resourceManagementServiceBasedAddress='FQDN' /> should point to the address of the portal server or the address of the FIMService server? From what I see it points to the portal server in the config file for the FIMService server. The same applies to the entry <resourceManagementService externalHostName=FQDN />
August 30th, 2011 2:58pm

Hi Glenn and thanks for the reply! Yes, that was a connection mapping that I had created and of course I also created SPNs for it, but the main problem was always the same (i.e. connecting locally on the WSS/FIM portal is always successful but the case is not the same when connecting from clients).
August 30th, 2011 3:04pm

Did you sort out your problem?
Bob Bradley (FIMBob @ http://thefimteam.com/) ... now using Event Broker 3.0 @ http://www.fimeventbroker.com/ for just-in-time delivery of FIM 2010 policy via the sync engine
September 12th, 2011 3:05pm

I had the same problem: I could connect successfully when I connected locally on the FIM Portal server, but could not connect from a client/another machine when I used the FQDN, and could connect to the IP address of the FIM Portal server, i.e. http://0.0.0.0/identitymanagement. I had a problem with the configuration of the SPN. Double check your SPN configuration.
September 13th, 2011 12:38pm

Hi and thanks! I have been engaged with another errand but now I hope to be able to investigate more. I have, however, checked the post-installation document but this didn't help much since it refers mostly to the configuration of the databases. I am wondering whether the service accounts for FIMSync and FIMService have to be SysAdmins on their respective databases. I know that they must be during the installation since they create the databases, but I'm not really sure if this has anything to do with the problem. I have compared the security settings of the browser on the FIM Portal server with those of the browser on my client and they are identical. I must be missing something... Regards,
September 13th, 2011 3:36pm

Hi, Andre is correct, the problem can occur if your SPN is registered on two accounts, as the SPN can only apply to one account at a time. When you access the server locally the SPN does not come into play, hence the fact that you don't experience some of the problems when accessing the site locally from the FIM Portal server.
Kind regards
Visit My Blog: http://theidentityguy.blogspot.com/
September 13th, 2011 4:41pm

I had missed this comment in the "Before you begin: http://technet.microsoft.com/en-us/library/ff512685%28WS.10%29.aspx" document: "Delegation: If you are using Kerberos and separating the FIM Service from the FIM Portal, you will also need to configure Delegation for the FIM Portal server account using Active Directory Users and Computers." What does this mean? What account should be further delegated in this case? This is exactly how my platform is set up (i.e. separate FIMService and FIM Portal).
September 14th, 2011 10:08am

Hi, this is part of the SPN we mentioned. Once you create an SPN for an account you can then set the Kerberos delegation for that account as per the guide. The delegation allows additional trust (delegated control) to be given to the account. This allows the account to be trusted to respond on the <protocol>/<your.server.FQDN.Name>, i.e. http/myserver.mydomain.com, address.
Kind regards
Jacques
Visit My Blog: http://theidentityguy.blogspot.com/
September 14th, 2011 10:26am

Let's go through how my SPNs look. Let's assume that my servers are named as follows:
Domain = mydomain.local
FIMService server = fimservice
FIM Portal server = fimportal
and my service accounts:
FIMService = fimsvc
SharePoint application pool = spappool
I created these 2 SPNs:
setspn -S FIMService/fimportal.mydomain.local mydomain\fimsvc
setspn -S HTTP/fimportal.mydomain.local mydomain\spappool
Delegations:
fimsvc --> FIMService/fimportal.mydomain.local
spappool --> FIMService/fimportal.mydomain.local
Notice that I haven't created aliases yet and am using the FQDN for connecting to web services. The SPNs point to the FIM portal server and not the FIMService server and I am wondering whether this is the problem.
September 14th, 2011 11:20am

Most definitely, as the SPN can only bind one machine to one host, so you need to make sure that your SPN for SharePoint points to the SharePoint server and the FIM Service one points to the FIM Service. This mapping will cause an issue:
setspn -S FIMService/fimportal.mydomain.local mydomain\fimsvc
setspn -S HTTP/fimportal.mydomain.local mydomain\spappool
As they point to the same host....
Visit My Blog: http://theidentityguy.blogspot.com/
September 14th, 2011 1:11pm

Hi again, I have now adjusted the SPNs and they look like this:
setspn -S FIMService/fimservice.mydomain.local mydomain\fimsvc
setspn -S HTTP/fimportal.mydomain.local mydomain\spappool
and then delegated each account to the respective SPN, but this did not resolve the problem. Still the same. My question is whether one must delegate each account (FIMService & SharePoint AppPool) to both SPNs?
September 19th, 2011 10:41am

Here's some information regarding the Kerberos setup: "FIM 2010: Kerberos Authentication Setup". Make sure to also check Paul's blog in the "see also" section: http://setspn.blogspot.com
September 19th, 2011 9:36pm

This looks very interesting. Wondering why there isn't a central KB for FIM 2010. I will go through this guide and will come back with the results. Thanks!
September 20th, 2011 9:33am

WOOHOO! It's been a heck of a ride! The clients now have full access to the FIM portal functionality. The article that Thomas referenced (http://social.technet.microsoft.com/wiki/contents/articles/3385.aspx) was the missing bit in my configuration. Many thanks Thomas! Here are the fixes that were applied:
- Create 2 SPNs, one in the hostname format and another in FQDN format, for each service account
- Delegate the FIMService to the FIMService service account
- Delegate the SharePoint AppPool service account to the FIMService service account
- Create SPNs for MSSQLSvc (SQL Server instance) with port number association -- this is missing in the FIM 2010 documentation.
- Configure 'applicationHost.config' as mentioned in the article.
Many thanks to all who contributed.
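An added audit script (written here, not part of the thread or of the TechNet wiki article) that checks Active Directory for the SPN and delegation layout the thread converges on in the posts above: hostname and FQDN SPNs on the right account, no SPN registered twice, constrained delegation to the FIM Service SPN, and a port-qualified MSSQLSvc SPN. It assumes the lab names used in the thread (mydomain.local, fimservice, fimportal, fimsvc, spappool); the SQL host, SQL service account and port are placeholders.

```powershell
# Added example: audit FIM 2010 SPN / delegation layout in AD.
# Requires the ActiveDirectory RSAT module and read access to the directory.
Import-Module ActiveDirectory

$Domain        = 'mydomain.local'
$FimSvcAccount = 'fimsvc'      # FIM Service account (lab name from the thread)
$SpPoolAccount = 'spappool'    # SharePoint app pool account (lab name from the thread)
$FimSvcHost    = 'fimservice'  # FIM Service server
$PortalHost    = 'fimportal'   # SharePoint / FIM Portal server
$SqlHost       = 'sqlserver'   # placeholder: SQL Server host name
$SqlSvcAccount = 'sqlsvc'      # placeholder: SQL Server service account
$SqlPort       = 1433          # placeholder: instance port

# Expected registrations: hostname and FQDN form per service, plus MSSQLSvc with port.
$Expected = @(
    @{ Account = $FimSvcAccount; Spn = "FIMService/$FimSvcHost" },
    @{ Account = $FimSvcAccount; Spn = "FIMService/$FimSvcHost.$Domain" },
    @{ Account = $SpPoolAccount; Spn = "HTTP/$PortalHost" },
    @{ Account = $SpPoolAccount; Spn = "HTTP/$PortalHost.$Domain" },
    @{ Account = $SqlSvcAccount; Spn = "MSSQLSvc/$SqlHost.${Domain}:$SqlPort" }
)

function Get-SpnOwners {
    param([string]$Spn)
    # Every AD object carrying this SPN. More than one owner is the
    # "SPN registered on two accounts" condition that breaks Kerberos.
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName |
        ForEach-Object { $_.sAMAccountName })
}

function Test-FimSpnLayout {
    $problems = @()
    foreach ($e in $Expected) {
        $owners = Get-SpnOwners -Spn $e.Spn
        if ($owners.Count -eq 0) {
            $problems += "MISSING    $($e.Spn) is not registered (expected on $($e.Account))"
        } elseif ($owners.Count -gt 1) {
            $problems += "DUPLICATE  $($e.Spn) is registered on: $($owners -join ', ')"
        } elseif ($owners[0] -ne $e.Account) {
            $problems += "WRONGACCT  $($e.Spn) is on $($owners[0]), expected $($e.Account)"
        }
    }
    # Constrained delegation: both the FIM Service account and the SharePoint app
    # pool account must be allowed to delegate to the FIM Service SPN.
    $target = "FIMService/$FimSvcHost.$Domain"
    foreach ($acct in @($FimSvcAccount, $SpPoolAccount)) {
        $u = Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo
        if (@($u.'msDS-AllowedToDelegateTo') -notcontains $target) {
            $problems += "DELEGATION $acct is not allowed to delegate to $target"
        }
    }
    # The thread's original mistake: a FIMService SPN registered for the portal host.
    foreach ($owner in (Get-SpnOwners -Spn "FIMService/$PortalHost*")) {
        $problems += "STRAY      FIMService SPN for the portal host is registered on $owner"
    }
    return $problems
}

$result = Test-FimSpnLayout
if ($result.Count -eq 0) { 'SPN / delegation layout matches the expected FIM 2010 setup.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

`setspn -X` reports forest-wide duplicate SPNs on its own; this script additionally checks that each SPN sits on the intended account and that the delegation entries exist.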
September 20th, 2011 1:55pm
